Kubernetes in Practice (7): Integrating Kubernetes with a Harbor-based private image registry

For the complete table of contents of the Kubernetes in Practice series, see: Kubernetes in Practice - Table of Contents


I. Harbor registry environment

| Hostname | IP address | OS | Role | Software versions | Notes |
| --- | --- | --- | --- | --- | --- |
| k8sproxy-hzbatst-1 | 10.120.67.25 | CentOS 7.5 | proxy, registry | haproxy; docker-ce 18.06.1; docker-compose 1.22.0; harbor 1.6.1 | |

For how the Harbor service was set up, see Kubernetes First Look (1): Configuring the enterprise-grade image registry Harbor

II. Integrating Harbor with Kubernetes

1. Configuring the self-signed certificate on the Kubernetes nodes [all nodes]

# On the harbor node
# (files under anchors/ are only picked up after update-ca-trust runs on that host)
cp /opt/app/harbor/certs/harbor.example.com.crt /etc/pki/ca-trust/source/anchors/ca.crt

# Run on each kubernetes node, i.e. on the harbor clients
# (the directory name must equal the registry hostname used in image references)
mkdir -p /etc/docker/certs.d/harbor.example.com

# Copy the self-signed root certificate to the kubernetes nodes, i.e. the harbor clients
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.26:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.27:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.28:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.29:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.30:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.31:/etc/pki/ca-trust/source/anchors/ca.crt

scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.26:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.27:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.28:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.29:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.30:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.31:/etc/docker/certs.d/harbor.example.com/ca.crt

2. Create a secret that holds the Harbor (registry) credentials

Make sure the relevant namespace has already been created

# cat  ns_eju-test.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: eju-test

kubectl apply -f ns_eju-test.yaml
kubectl get ns 

Create a secret that holds the Harbor login credentials

kubectl create secret docker-registry harbor-test --namespace=eju-test \
        --docker-server=harbor.example.com --docker-username='eju_test_visitor' \
        --docker-password='EJU@test1234' \
        --docker-email='[email protected]'

kubectl get secret -n eju-test
		harbor-test           kubernetes.io/dockerconfigjson        1      73m

3. Test pulling an image (yaml)

# Make sure the image is already present in harbor
docker pull nginx:1.14
docker tag nginx:1.14  harbor.example.com/eju-test/nginx:1.14
docker push harbor.example.com/eju-test/nginx:1.14

# cat app_nginx.yaml 
apiVersion: apps/v1  # Deployment is served from apps/v1; extensions/v1beta1 was removed in Kubernetes 1.16
kind: Deployment
metadata:
  labels:
    run: nginx-app
  name: nginx-app
  namespace: eju-test
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx-app
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        run: nginx-app
    spec:
      containers:
      - name: nginx-app
        image: harbor.example.com/eju-test/nginx:1.14  # registry host must match --docker-server of the harbor-test secret
        ports:
        - containerPort: 80
          protocol: TCP
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      imagePullSecrets:
      - name: harbor-test

kubectl apply -f app_nginx.yaml 
kubectl get pod -n eju-test -o wide
	NAME                        READY   STATUS    RESTARTS   AGE   IP             NODE                NOMINATED NODE
	nginx-app-888548bb4-zhxwk   1/1     Running   0          18m   192.168.3.15   k8snode-hzbatst-1   <none>

curl 192.168.3.15
	... ..
	<h1>Welcome to nginx!</h1>
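
The pull secret from step 2 is only used when the registry host in the image reference matches a server entry inside the secret, and its contents are base64-encoded rather than encrypted. The Python sketch below is an added example, not part of the original post: it rebuilds the payload that kubectl create secret docker-registry stores, checks image references against it, and decodes the stored credentials. The password, e-mail and second hostname are constructed, and the host comparison is a simplified exact match (the kubelet's own matching also accepts paths and globs).

```python
import base64
import json

def build_dockerconfigjson(server, username, password, email):
    """Payload stored under .data[".dockerconfigjson"] of a docker-registry secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "email": email, "auth": auth}
    return base64.b64encode(json.dumps({"auths": {server: entry}}).encode()).decode()

def registry_host(image):
    """Registry host of an image reference, or None when it defaults to Docker Hub."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return None

def _load(secret_b64):
    return json.loads(base64.b64decode(secret_b64))["auths"]

def secret_covers_image(secret_b64, image):
    """True when the secret has an auths entry for the image's registry host.
    Simplified: exact host comparison after stripping scheme and path."""
    hosts = {s.split("://", 1)[-1].split("/", 1)[0] for s in _load(secret_b64)}
    return registry_host(image) in hosts

def recover_credentials(secret_b64, server):
    """The value is encoded, not encrypted: read access to it yields the password."""
    raw = base64.b64decode(_load(secret_b64)[server]["auth"]).decode()
    user, _, password = raw.partition(":")
    return user, password

# Constructed sample: server and username follow the post, password and e-mail are made up.
SECRET = build_dockerconfigjson("harbor.example.com", "eju_test_visitor",
                                "constructed-password", "ops@example.invalid")

if __name__ == "__main__":
    for image in ("harbor.example.com/eju-test/nginx:1.14",
                  "harbor.internal.example/eju-test/nginx:1.14",  # constructed other host
                  "nginx:1.14"):
        state = "covered" if secret_covers_image(SECRET, image) else "NOT covered"
        print(image, "->", state)
    print(recover_credentials(SECRET, "harbor.example.com"))
```

On a cluster the same payload is returned by kubectl get secret harbor-test -n eju-test -o jsonpath='{.data.\.dockerconfigjson}', so get/list rights on secrets in the namespace amount to knowing the registry password.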